#!/bin/bash

# ================================================================================
# check-for-osx-malware.sh
#
# Simple script to check for the existence of files used by:
# - Backdoor:OSX/MacKontrol.A
# - Backdoor:OSX/Olyx.C
# - Backdoor:OSX/Sabpab.A
#
# Checks are based on information from F-Secure's database:
# http://www.f-secure.com/v-descs/
#
#
# Hannes Juutilainen, hjuutilainen@mac.com
#
# History:
# 2012-04-18, Hannes Juutilainen
# - First version
# ================================================================================

VERBOSE=false
DID_FIND_FILES=false

FILES_TO_CHECK=(
"/Applications/Automator.app/Contents/MacOS/DockLight"		# Backdoor:OSX/Olyx.C
"/Library/launched"											# Backdoor:OSX/MacKontrol.A
)

USERFILES_TO_CHECK=(
"Library/Preferences/com.apple.PubSabAgent.pfile"			# Backdoor:OSX/Sabpab.A
"Library/LaunchAgents/com.apple.PubSabAgent.plist"			# Backdoor:OSX/Sabpab.A
"Library/LaunchAgents/com.apple.FolderActionsxl.plist" 		# Backdoor:OSX/MacKontrol.A
"Library/LaunchAgents/com.apple.DockActions.plist" 			# Backdoor:OSX/Olyx.C
)


# ================================================================================
# Check for root
# ================================================================================
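# Refuse to run unless the effective user is root. The checks below look into
# every home directory under /Users; root keeps the results independent of
# directory permissions (the test itself only inspects $EUID).
if [[ $EUID -ne 0 ]]; then
    # Diagnostics belong on stderr; the earlier `2>&1` sent this to stdout.
    printf '%s\n' "This script must be run as root" >&2
    exit 1
fi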


# ================================================================================
# Arguments
# ================================================================================
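# Parse the command line. Only -v/--verbose is accepted; any other argument is
# reported on stderr and aborts the script with status 1.
# Globals:   VERBOSE (written)
# Arguments: the script's "$@"
parse_arguments() {
    while [[ $# -gt 0 ]]; do
        case "$1" in
            -v | --verbose )
                VERBOSE=true
                ;;
            * )
                printf "Unrecognized arguments\n" >&2
                exit 1
                ;;
        esac
        # Exactly one shift per argument, so the argument that follows -v is
        # still examined (and rejected if it is not an option we know).
        shift
    done
}
parse_arguments "$@"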


# ================================================================================
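# Test one path and report on it.
# Globals:   VERBOSE (read), DID_FIND_FILES (set to true when the path exists)
# Arguments: $1 - absolute path of a file associated with one of the backdoors
# Outputs:   "===> WARNING: Found <path>" on stdout when the file exists;
#            "---> File doesn't exist in <path>" on stdout when VERBOSE is true
check_path() {
	local path="$1"
	# -f matches regular files only (symlinks are followed); directories do
	# not count as a hit.
	if [[ -f "$path" ]]; then
		# %s rather than %b so a backslash in a path is printed literally.
		printf "%s\n" "===> WARNING: Found $path"
		DID_FIND_FILES=true
	elif [[ "$VERBOSE" == true ]]; then
		printf "%s\n" "---> File doesn't exist in $path"
	fi
}

# System-wide locations.
for INFECTION_FILE in "${FILES_TO_CHECK[@]}"; do
	if [[ "$VERBOSE" == true ]]; then
		printf "\n%s\n" "Checking for $INFECTION_FILE"
	fi
	check_path "$INFECTION_FILE"
done

# Per-user locations: every entry under /Users is tried as a home directory.
# The glob is expanded once, into an array, so a home directory containing
# whitespace stays one element; nullglob makes an empty /Users yield no
# iterations instead of the literal pattern. nullglob is switched back off
# afterwards so the rest of the script keeps bash's default globbing.
shopt -s nullglob
USER_HOMES=(/Users/*)
shopt -u nullglob
for USERFILE in "${USERFILES_TO_CHECK[@]}"; do
	if [[ "$VERBOSE" == true ]]; then
		printf "\n%s\n" "Checking for /Users/*/$USERFILE"
	fi
	for HOME_DIR in "${USER_HOMES[@]}"; do
		check_path "$HOME_DIR/$USERFILE"
	done
done
if [[ "$VERBOSE" == true ]]; then
	printf "\n"
fi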


# ================================================================================
# Print the one-line verdict. The exit status is always 0; the outcome is
# conveyed only by the text ("WARNING: ..." versus "System is clean.").
# Globals:   DID_FIND_FILES (read)
# Outputs:   "Results: <verdict>" on stdout
print_results() {
	local verdict="System is clean."
	if [[ "$DID_FIND_FILES" == true ]]; then
		verdict="WARNING: System tested positive on at least one of the tests."
	fi
	printf "%s%s\n" "Results: " "$verdict"
}
print_results

exit 0
